Tags: spring-security, single-sign-on, keycloak, openid-connect, access-token

Keycloak Spring Security Oidc id_token_hint lifetime


To properly log out from Keycloak v18+ I need to construct the following URL:

http://localhost:8081/realms/%REALM_NAME%/protocol/openid-connect/logout?post_logout_redirect_uri=%ENCODED_URI%&id_token_hint=%ID_TOKEN_HINT%

My question is related to id_token_hint. I may extract a token hint value from the Spring Security OAuth2AuthenticationToken. Right now, I don't understand the lifetime of this token. Does it have an expiration date? Is it specific to each browser session? For example, what if the same user opens two different browsers and logs in under the same credentials? What if the user logs out from one browser? Will the Keycloak session be automatically terminated in the second browser?

I'm asking about id_token_hint because I need to store it somewhere on my server for each user, so I need to understand: is it okay to store the latest id_token_hint issued for each user (regardless of which browser and for which session it was issued), or do I need to store all of them and distinguish them somehow (how, based on what)?


Solution

  • Does it have an expiration date?

    Just as with an access token, the ID token has an expiration time. Every time one uses the refresh token to get a new access token from the Keycloak server, one can also request a new ID token.

    Is it specific to each browser session? For example, what if the same user opens two different browsers and logs in under the same credentials? What if the user logs out from one browser? Will the Keycloak session be automatically terminated in the second browser?

    In Keycloak, the ID token is tied to a user session; you can see that in the claim 'sid' (i.e., session ID) present in the aforementioned token. If you get a new ID token in the scope of the current user session (e.g., getting a new ID token using the refresh token mechanism), the 'sid' will remain the same; however, the value of the 'jti' (i.e., the unique identifier for this token) claim will change. Hence, it is a new ID token, but tied to the same user session.

    If you make a completely new request to the token endpoint without using the refresh token mechanism (e.g., a user authenticating in a different browser), you will get a new ID token tied to the newly created session ID.

    Regarding the logout behaviour, according to the OpenID Connect RP-Initiated Logout specification:

    When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token. The OP SHOULD accept ID Tokens when the RP identified by the ID Token's aud claim and/or sid claim has a current session or had a recent session at the OP, even when the exp time has passed. If the ID Token's sid claim does not correspond to the RP's current session or a recent session at the OP, the OP SHOULD treat the logout request as suspect, and MAY decline to act upon it.

    Based on this, my assumption is that Keycloak will log out the user session encoded in the claim 'sid' of the ID token.
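The following is an added example, not code from the question or the answer above, and it is deliberately independent of Spring Security: it models at the protocol level the storage decision the answer implies. ID tokens are kept per Keycloak user session, keyed by (sub, sid), so a refreshed token (same sid, new jti) replaces the previous one while a login from a second browser (new sid) is kept alongside it, and the RP-initiated logout URL from the question is built with the token of the session being ended. The base URL, realm name and client ID are assumed placeholders, and the tokens are constructed unsigned (alg=none) JWTs: real Keycloak ID tokens are RS256-signed and are verified by Spring Security when the login completes, which is why the decoder here reads the payload without a signature check.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values for the demo; the question uses %REALM_NAME% as a placeholder.
KEYCLOAK_BASE = "http://localhost:8081"
REALM = "example-realm"
CLIENT_ID = "spring-app"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(sub: str, sid: str, jti: str, iat: int, ttl: int = 300) -> str:
    """Constructed, unsigned (alg=none) ID token with the claims under discussion.
    Real Keycloak ID tokens are RS256-signed; Spring Security verifies them at login."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": f"{KEYCLOAK_BASE}/realms/{REALM}",
        "aud": CLIENT_ID,
        "sub": sub,
        "sid": sid,        # Keycloak user session the token belongs to
        "jti": jti,        # unique per issued token, changes on refresh
        "iat": iat,
        "exp": iat + ttl,  # ID tokens expire just like access tokens
    }
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""))


def id_token_claims(token: str) -> dict:
    """Decode the payload only. No signature check here: the token was already
    validated at login, and we only need sid/jti/exp to manage the hint store."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_expired(token: str, now: int) -> bool:
    return id_token_claims(token)["exp"] <= now


class IdTokenHintStore:
    """Most recent ID token per Keycloak user session, keyed by (sub, sid).
    Keeping only the latest token per user would lose the hint for every other
    browser the same user is logged in to."""

    def __init__(self) -> None:
        self._by_session: dict = {}

    def remember(self, token: str) -> None:
        c = id_token_claims(token)
        # A refreshed token carries the same sid and simply replaces the old one.
        self._by_session[(c["sub"], c["sid"])] = token

    def hint_for(self, sub: str, sid: str):
        return self._by_session.get((sub, sid))

    def forget(self, sub: str, sid: str) -> None:
        self._by_session.pop((sub, sid), None)

    def sessions_for(self, sub: str) -> list:
        return sorted(sid for (s, sid) in self._by_session if s == sub)


def build_logout_url(id_token_hint: str, post_logout_redirect_uri: str) -> str:
    """RP-initiated logout URL in the shape shown in the question. urlencode
    percent-encodes the redirect URI; base64url token characters stay as they are."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri,
                       "id_token_hint": id_token_hint})
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/logout?{query}"


def demo() -> dict:
    """Two browsers, one user: session A is refreshed once, session B is separate."""
    now = 1_700_000_000
    store = IdTokenHintStore()
    tok_a1 = make_demo_id_token("alice", "sid-A", "jti-1", now)
    tok_a2 = make_demo_id_token("alice", "sid-A", "jti-2", now + 200)  # refresh: same sid
    tok_b1 = make_demo_id_token("alice", "sid-B", "jti-3", now + 10)   # other browser
    for tok in (tok_a1, tok_a2, tok_b1):
        store.remember(tok)
    sessions_before = store.sessions_for("alice")
    logout_a = build_logout_url(store.hint_for("alice", "sid-A"), "http://localhost:8080/")
    store.forget("alice", "sid-A")  # only session A is ended; B keeps its own hint
    return {
        "sessions_before": sessions_before,
        "hint_a_jti": id_token_claims(logout_a.split("id_token_hint=")[1])["jti"],
        "logout_url_a": logout_a,
        "sessions_after": store.sessions_for("alice"),
        "a1_expired_at_refresh": is_expired(tok_a1, now + 300),
    }
```

In a Spring Security application the equivalent input is the `OidcUser` behind the `OAuth2AuthenticationToken`: `getIdToken().getTokenValue()` is the hint and `getIdToken().getClaim("sid")` is the key, and Spring's own `OidcClientInitiatedLogoutSuccessHandler` builds the same logout URL from the current user's ID token, which avoids a server-side store for the common case of logging out the session that made the request.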